Package com.broadleafcommerce.auth.security.service

Class DefaultPrivilegeService

java.lang.Object
com.broadleafcommerce.auth.security.service.DefaultPrivilegeService
All Implemented Interfaces:
PrivilegeService
public class DefaultPrivilegeService extends Object implements PrivilegeService

  • Field Details

  • Constructor Details

  • Method Details

    • getUserPrivilegeSummary

      public PrivilegeSummary getUserPrivilegeSummary(@NonNull @NonNull User user, @NonNull @NonNull String serverId)
      Description copied from interface: PrivilegeService
      Gets a PrivilegeSummary of user's consolidated authorities, restrictions, and restricted authorities.
      Specified by:
      getUserPrivilegeSummary in interface PrivilegeService
      Parameters:
      user - User to get the PrivilegeSummary for
      serverId - id of the AuthorizationServer
      Returns:
      a PrivilegeSummary of user's authorities, restrictions, and restricted authorities
      See Also:

    • grantSandboxAccessIfGrantedWorkflowAccess

      protected void grantSandboxAccessIfGrantedWorkflowAccess(Set<String> allAuthorities, Map<String,Map<String,Set<String>>> restrictedAuthorities)

      It is possible that a user has been granted 'ALL_USER_WORKFLOW' with the intention that they should participate in sandboxing flows, but for whatever reason they were not granted a minimum of 'READ_SANDBOX' access. If so, they will not be able to read sandboxes, and therefore won't be able to obtain a value to supply in ContextRequest.getSandboxId(). Requests without a ContextRequest.getSandboxId() go directly to production, which would be surprising/unexpected behavior (particularly in the Broadleaf admin).

      This method engages as a soft correction to ensure a user with 'ALL_USER_WORKFLOW' access will automatically also be granted access to 'READ_SANDBOX'. If the user has been explicitly assigned any sandbox-related authorities, those will take precedence.

      Parameters:
      allAuthorities - a value destined for PrivilegeSummary.getAllAuthorities(). This will be directly mutated by this method.
      restrictedAuthorities - a value destined for PrivilegeSummary.getRestrictedAuthorities(). This will be directly mutated by this method.

    • addSandboxAccessToAllAuthoritiesIfGrantedWorkflowAccess

      protected void addSandboxAccessToAllAuthoritiesIfGrantedWorkflowAccess(Set<String> allAuthorities)

    • mergeUserWorkflowWithReadSandboxIfNeeded

      protected void mergeUserWorkflowWithReadSandboxIfNeeded(Map<String,Map<String,Set<String>>> restrictedAuthorities)

    • getHydratedPrivileges

      protected DefaultPrivilegeService.PrivilegeHydrationResult getHydratedPrivileges(@NonNull @NonNull User user, @NonNull @NonNull String serverId)
      Determine restrictions, flat permissions, restricted roles, and restricted permissions for a User and on an AuthorizationServer.
      Parameters:
      user - The User to get the permissions for.
      serverId - The ID of the AuthorizationServer that is being authenticated against.
      Returns:
      A DefaultPrivilegeService.PrivilegeHydrationResult with the permissions, roles, and restrictions of the given User on the indicated server.

    • getRoleIds

      protected Set<String> getRoleIds(@NonNull @NonNull User user)
      Get the set of all of a user's roles, including account roles for the active account.
      Parameters:
      user - The User to get the roles for
      Returns:
      The set of role ids for the given User.

    • getAccountRoles

      protected Collection<String> getAccountRoles(User user)
      Get a User's account roles for the active account.
      Parameters:
      user - The User to get the roles for
      Returns:
      A collection of the ids of the UserRoles that the given user has for the active account.

    • getRoleIds

      protected Set<String> getRoleIds(@NonNull @NonNull AuthorizationServer server)
      Get the ids of the default UserRoles for the given AuthorizationServer.
      Parameters:
      server - The AuthorizationServer to get default UserRoles from.
      Returns:
      The set of role ids for the default UserRoles of the given AuthorizationServer.

    • getRoleIds

      protected Set<String> getRoleIds(@NonNull @NonNull Set<RestrictedRole> restrictedRoles)
      Transform a set of RestrictedRole into a set of role ids.
      Parameters:
      restrictedRoles - The set of RestrictedRole from which to get role ids.
      Returns:
      The set of UserRole ids from the given RestrictedRoles.

    • getAccountWithAncestors

      protected List<String> getAccountWithAncestors(User user)
      Get a list of Account ids for the active account id and any parent accounts. The active account id is specified by a request parameter and set as a request attribute by the ClientIdFilter. The list will be ordered from top parent to the active account.
      Returns:
      List of account ids of the active account and all ancestor accounts.
      See Also:

    • getAllAuthorities

      protected Set<String> getAllAuthorities(@NonNull @NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult)
      Gets all the authorities from the flat permissions, permissions from restricted roles, and permissions from restricted permissions.

      The expanded CRUD_* permissions from ALL_* permissions are also added into the authorities (on top of the ALL_* permissions).

      Parameters:
      privilegeHydrationResult - DefaultPrivilegeService.PrivilegeHydrationResult to get all the authorities from
      Returns:
      a set of all authorities, restricted or not

    • isAllPermission

      protected boolean isAllPermission(String permissionName)
      Determine if the given permission is an "ALL_" permission.
      Parameters:
      permissionName - The permission to check.
      Returns:
      True if the given permission starts with "ALL_".
      See Also:

    • getPermissionsFromRestrictedPrivileges

      protected Set<UserPermissionRef> getPermissionsFromRestrictedPrivileges(@NonNull @NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult)
      Gets all the permissions from restricted roles and their ancestors, and restricted permissions.
      Parameters:
      privilegeHydrationResult - DefaultPrivilegeService.PrivilegeHydrationResult to get all the permissions from restricted privileges
      Returns:
      a set of all permissions from the restricted privileges

    • getRestrictionTypeAndTargetsByPermissionName

      protected Map<String,Map<String,Set<String>>> getRestrictionTypeAndTargetsByPermissionName(@NonNull @NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult)
      Gets a consolidated map of restricted permissions with the combination of flat permissions and restrictions, restricted roles, and restricted permissions from a User. This also includes the flat permissions from AuthorizationServer.getDefaultUserPermissions() and those inherited from AuthorizationServer.getDefaultUserRoles() and their ancestors. Flat permissions and restrictions are converted into a map of equivalent restricted permissions. Similarly, restricted roles are also converted into equivalent restricted permissions.

      For example, if an entity has READ_PRODUCT as flat permission (that came either from its direct flat permissions or from a flat role) with a flat vendor restriction on vendorA, it is then converted into a restricted permission as such: {READ_PRODUCT: {VENDOR: [vendorA]}}.

      Likewise, if an entity has a role that has READ_PRODUCT permission assigned, and has the role added as restricted role on vendorA, it is then converted into a restricted permission as well: {READ_PRODUCT: {VENDOR: [vendorA]}}.

      Parameters:
      privilegeHydrationResult - DefaultPrivilegeService.PrivilegeHydrationResult to consolidate the permissions, restrictions, restricted roles, and restricted permissions for a user
      Returns:
      a consolidated map of restricted permissions from flat permissions, restrictions, restricted roles, and restricted permissions from a User, along with flat permissions from the AuthorizationServer

    • getRestrictionTypeAndTargetsByPermissionName

      protected Map<String,Map<String,Set<String>>> getRestrictionTypeAndTargetsByPermissionName(@NonNull @NonNull Set<UserPermissionRef> flatPermissions, @NonNull @NonNull Set<Restriction> restrictions)
      Maps each UserPermissionRef with all of Restriction. Doing this to convert flat permissions and restrictions into the map structure of restricted permissions, which helps the restricted authorities consolidation.

      However, when there's no flat permissions, the restrictions are not added.

      Note: The expanded CRUD_* permissions from ALL_* permissions are also added into the map (on top of the ALL_* permissions).

      Parameters:
      flatPermissions - Set of UserPermissionRef
      restrictions - Set of Restriction
      Returns:
      a map of restricted permissions converted from restrictions and flat permissions

    • getRoleWithAncestorsByRoleId

      protected Map<String,Collection<UserRole>> getRoleWithAncestorsByRoleId(@NonNull @NonNull Set<String> roleIds)
      Gets roles along with their ancestry roles mapped by given role id.
      Parameters:
      roleIds - role ids to get the roles and ancestry roles for
      Returns:
      a collection containing the given roles along with their ancestors mapped by given role id

    • getAllFlatPermissions

      protected Set<UserPermissionRef> getAllFlatPermissions(@NonNull @NonNull User user, @NonNull @NonNull AuthorizationServer server, @NonNull @NonNull Collection<UserRole> userAndServerRolesWithAncestors)
      Gets a set of all flat permissions from User.getPermissions(), AuthorizationServer.getDefaultUserPermissions(), and permissions from the given roles.
      Parameters:
      user - User to get the permissions for
      server - AuthorizationServer to get the permissions for
      userAndServerRolesWithAncestors - Collection of roles to get all the permissions from. This is typically a collection of user's and server's roles along with their ancestors to prevent the need of querying all ancestry roles every time
      Returns:
      a set containing the flat permissions from the given user, server, and roles

    • getAllFlatPermissions

      protected Set<UserPermissionRef> getAllFlatPermissions(@NonNull @NonNull Collection<UserRole> roles)
      Gets a set of all UserRole.getPermissions() from the given roles
      Parameters:
      roles - Collection of roles to get all the permissions from
      Returns:
      a set containing the flat permissions from the given roles

    • getRestrictionTypeAndTargetsByPermissionNameForRestrictedRoles

      protected Map<String,Map<String,Set<String>>> getRestrictionTypeAndTargetsByPermissionNameForRestrictedRoles(@NonNull @NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult)
      Maps each UserPermissionRef from the RestrictedRole with the corresponding restriction. Doing this to convert permissions assigned to the restricted role and restricted role restrictions into the map structure of restricted permissions, which helps the comparisons of restrictiveness.

      The expanded CRUD_* permissions from ALL_* permissions are also added into the map with the same restrictions (on top of the ALL_* permissions).

      Parameters:
      privilegeHydrationResult - DefaultPrivilegeService.PrivilegeHydrationResult to get restricted roles from
      Returns:
      a map converted from the given set of restricted roles

    • getRestrictionTypeAndTargetsByPermissionNameForRestrictedPermissions

      protected Map<String,Map<String,Set<String>>> getRestrictionTypeAndTargetsByPermissionNameForRestrictedPermissions(@NonNull @NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult)
      Converts the Set of RestrictedPermission to a Map with the structure of: { permissionName: { restrictionType: [restrictionTargets] } }.

      The expanded CRUD_* permissions from ALL_* permissions are also added into the map with the same restrictions (on top of the ALL_* permissions).

      Parameters:
      privilegeHydrationResult - DefaultPrivilegeService.PrivilegeHydrationResult to get restricted permissions from
      Returns:
      Converted Map

    • getMergedRestrictionTypeAndTargetsByPermissionName

      protected Map<String,Map<String,Set<String>>> getMergedRestrictionTypeAndTargetsByPermissionName(@NonNull @NonNull Map<String,Map<String,Set<String>>> restrictionTypeAndTargetsByPermissionName1, @NonNull @NonNull Map<String,Map<String,Set<String>>> restrictionTypeAndTargetsByPermissionName2)
      Gets a Map that is a combination of the two given restrictionTypeAndTargetsByPermissionName maps.
      Parameters:
      restrictionTypeAndTargetsByPermissionName1 - first Map to combine with
      restrictionTypeAndTargetsByPermissionName2 - second Map to combine with
      Returns:
      a map that is a combination of the two given maps

    • getMergedRestrictionTargetsByRestrictionType

      protected Map<String,Set<String>> getMergedRestrictionTargetsByRestrictionType(@NonNull @NonNull Map<String,Set<String>> restrictionTargetsByRestrictionType1, @NonNull @NonNull Map<String,Set<String>> restrictionTargetsByRestrictionType2)
      Gets a Map that is a combination of the two given restrictions maps.
      Parameters:
      restrictionTargetsByRestrictionType1 - first Map to combine with
      restrictionTargetsByRestrictionType2 - second Map to combine with
      Returns:
      a map that is a combination of the two given maps

    • getRestrictionTargetsByRestrictionType

      public Map<String,Set<String>> getRestrictionTargetsByRestrictionType(@NonNull @NonNull Set<Restriction> restrictions)
      Description copied from interface: PrivilegeService
      Converts the Set of Restriction to a Map with the structure of: {restrictionType: [restrictionTargets]}.
      Specified by:
      getRestrictionTargetsByRestrictionType in interface PrivilegeService
      Parameters:
      restrictions - Set of Restriction
      Returns:
      a map with restriction type as key and restriction targets as value converted from the given set of restrictions

    • addRestrictionToMap

      protected void addRestrictionToMap(@NonNull @NonNull Map<String,Set<String>> map, @NonNull @NonNull Restriction restriction)
      Add Restriction targets to the given Map by restriction type.
      Parameters:
      map - The map to add Restriction targets.
      restriction - A Restriction on the data in which a user has access.

    • addRestrictionByExpandedPermissionNames

      protected void addRestrictionByExpandedPermissionNames(@NonNull @NonNull Map<String,Map<String,Set<String>>> restrictionTypeAndTargetsByPermissionName, @NonNull @NonNull Restriction restriction, @NonNull @NonNull String permissionName)
      Add both ALL_* permissions and expanded CRUD_* permissions with the given restriction to the map.
      Parameters:
      restrictionTypeAndTargetsByPermissionName - the restrictionTypeAndTargetsByPermissionName map to add the permission names with restriction to
      restriction - restriction to be added with the given permission name
      permissionName - permission name to add along with the given restriction

    • isExplodePermissions

      public boolean isExplodePermissions()

    • getUserRoleService

      protected UserRoleService<UserRole> getUserRoleService()

    • getRoleAncestryHydrationService

      protected UserRoleAncestryHydrationService getRoleAncestryHydrationService()

    • getServerService

      protected AuthorizationServerService<AuthorizationServer> getServerService()

    • getAccountAncestorService

      protected AccountAncestorService getAccountAncestorService()

    • getTokenProperties

      protected TokenProperties getTokenProperties()